Friday, October 25, 2024


Payments and Identity Theft

In the last two decades, Treasury Management in Local Entities has undergone a strong evolution essentially due to the impact of new technologies on payment processes. The payment of obligations has become more efficient in its management mechanism, but security problems have inevitably increased as a result of fraud.

For several years now, payment fraud has been occurring in companies and public administrations, normally through impersonation of the legitimate third-party beneficiaries of the payment.

This scam initially started with “CEO fraud”, but cybercrime has become more technically sophisticated and has moved to a higher stage called “man in the middle”. These frauds are causing real economic damage to companies and public administrations that end up falling for a deception that appears simple, but which requires computer experts to carry it out.

CEO fraud, also known as Business Email Compromise (BEC), is one of the most economically damaging crimes. It is an attack in which a cybercriminal impersonates the CEO or other senior executive of an organization and sends an email to trick an employee into making unauthorized transfers or sending confidential information.

Man-in-the-Middle (MitM), on the other hand, is a type of attack aimed at intercepting, without authorization, the communication between two devices (hosts) connected to a network. This attack allows a malicious actor to manipulate the intercepted traffic in different ways, either to listen in on the communication and obtain sensitive information, such as access credentials, financial information, etc., or to impersonate one of the parties. For a “MitM” attack to work properly, the offender must ensure that it will be the only point of communication between the two devices, i.e. the offender must be present on the same network as the hosts targeted in the attack in order to change the routing table for each of them.

The middleman scam starts with the interception by cybercriminals of e-mails exchanged between their victims – companies and administrations – and customers and suppliers. By monitoring these communications, the hackers discover which invoices are pending payment and when they are due for payment. When the time is right, they impersonate one of these suppliers and, via email, inform the victim that payment of the invoice must be made into a new current account that has been set up.

The cybercriminals use the same e-mail address and even go so far as to forge bank certificates to make the deception look credible. When the money is deposited in the fraudulent account, it is immediately transferred to second and third accounts, and its trail is lost within a few days. Usually the accounts are opened in the name of an unknown person.

Fortunately, the impact of these frauds in Public Administrations, and especially in Local Entities, has been less than in Companies, because public administrations have generally established a set of minimum security requirements in the fight against fraud (a protocol of good practices), given that identity theft and fraud in payment processes are commonplace these days.

One of the factors that have had an impact on this is the use of the Electronic Invoice, which increases the security of transactions since it allows the designation and therefore the validation and accreditation of third party accounts before the Local Treasury.

The increase in standardized collection and payment channels (CSB) and electronic collection systems has given rise to the PSD2 Directive (Directive (EU) 2015/2366), a European regulation on electronic payment services whose objective is to increase the security of payments in Europe, promote innovation and favor the adaptation of banking services to new technologies. It does not, however, correct the problem of identity theft.

Payment by bank transfer in the 34 countries of the European zone was standardized thanks to the identification of accounts with IBAN (International Bank Account Number; 20 numbers + four characters identifying the country and the IBAN control number); outside the EU, the BIC (Business Identifier Code) or SWIFT is used.

This PSD2 directive for Local Entities has laid the foundations for accessing online banking and reinforcing the security of electronic payments. It is an update of the previous directive that broadens its scope, eliminating national fragmentation,

Thanks to PSD2, security controls are introduced to prevent online fraud such as impersonation of the payment issuer. This makes it impracticable for a potential offender to carry out transactions in our name and access the products and services contracted.

The enhanced security introduced by the PSD2 Directive prevents unauthorized online payments and prevents the use of a stolen credit card thanks to the two-factor Strong Customer Authentication (SCA) procedures of PSD2.

In short, this Directive has increased the security of transactions, mainly due to the validation and authentication of the payer, but at the same time, as we have mentioned, there is an increase in cybercrime through identity theft in the processes of accreditation of third parties, that is, on the side of the receiver of payments.
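A payee-side control of the kind the article points to, as an added example that is not part of the original article: before a transfer is released, the requested IBAN is checked against the ISO 13616 mod-97 control digits and then against the account accredited for that supplier. The supplier IDs, the `ACCREDITED` registry and the function names are hypothetical, and the IBANs are published documentation examples used as constructed test data.

```python
import re

# Hypothetical registry of accounts accredited before the treasury,
# keyed by supplier ID (constructed sample data).
ACCREDITED = {"SUP-001": "ES9121000418450200051332"}

# Total IBAN length for a few countries; Spain is 4 + 20 characters.
IBAN_LENGTH = {"ES": 24, "DE": 22, "GB": 22}


def normalize(iban: str) -> str:
    """Strip whitespace and upper-case so printed and stored forms compare equal."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 check: move the first 4 chars to the end, map A-Z to 10-35,
    and require the resulting integer to be congruent to 1 modulo 97."""
    iban = normalize(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    expected = IBAN_LENGTH.get(iban[:2])
    if expected is not None and len(iban) != expected:
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def review_payment(supplier_id: str, requested_iban: str) -> tuple[str, str]:
    """Return (decision, reason) for a payment instruction."""
    requested = normalize(requested_iban)
    if not iban_checksum_ok(requested):
        return ("REJECT", "IBAN fails format or control-digit check")
    accredited = ACCREDITED.get(supplier_id)
    if accredited is None:
        return ("HOLD", "supplier has no accredited account")
    if requested != accredited:
        # A well-formed IBAN proves nothing about who owns it: an account
        # change received by e-mail is confirmed through a separate channel.
        return ("HOLD", "account differs from accredited one; confirm out of band")
    return ("RELEASE", "matches accredited account")
```

The second `HOLD` branch is the one that matters for the middleman scam: the substituted account passes every format check, so only the comparison with the previously accredited account stops the payment.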
